Monday, 23 November 2015

The password strength requirements for Hosted Email and Hosted Exchange are changing. On January 6, 2016, the Control Panel and Webmail interfaces will begin enforcing new rules when setting or changing a password.

The password rules will now be consistent for both Hosted Email and Hosted Exchange. The new password strength requirements are:
  • Must be at least 8 characters long
  • Must contain 3 of the following:
      ◦ Uppercase letter
      ◦ Lowercase letter
      ◦ Number
      ◦ Special character or space

On January 20, 2016, all Email APIs will be updated to validate new or changed end user passwords according to the new rules. If you use the Administrative APIs, this change may require you to update your integration code. Also, if you use the Directory Sync utility, you may need to adjust your password policy.

After January 20th, when attempting to set a password that doesn't match these new requirements, an error response will be triggered from the API. You can - and should - update your code to respect the new requirements now. Please refer to the REST or SOAP documentation for error code specifics.
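
A pre-flight check that integration code could run before calling the API, so users see which rule failed instead of a generic API error. This is an added example, not code from the Email API or its documentation; the ASCII-only character classes and the function names are assumptions, so confirm the exact sets against the REST or SOAP documentation.

```python
import string

MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# Assumption: classes are ASCII-based and "special character" means ASCII
# punctuation. Characters outside these sets count toward no class, which
# keeps the check conservative.
CLASSES = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special character or space": set(string.punctuation + " "),
}


def classes_present(password):
    """Names of the character classes that appear at least once."""
    chars = set(password)
    return [name for name, members in CLASSES.items() if chars & members]


def policy_violations(password):
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters long")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        unused = [name for name in CLASSES if name not in present]
        problems.append(
            f"uses {len(present)} character classes, needs {REQUIRED_CLASSES}; "
            f"unused: {', '.join(unused)}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["password", "Passw0rd", "pass word1", "Ab1!", "correct horse"]:
        problems = policy_violations(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```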

This change will not force any existing users to change their password, regardless of the strength of that password. For that reason, we recommend periodically changing email passwords.

If you have any additional questions, please contact your support team.

Wednesday, 11 November 2015

Earlier this year we faced a severe DDoS attack against our IP address that caused issues for some users accessing some of our domains. Mail service remained unaffected, and webmail was also accessible through an alternate URL if the usual webmail site was unavailable. We apologize for the inconvenience and disruption following this unfortunate incident. We have conducted a complete root cause analysis to find out what went wrong and how we can better deal with future attacks.

DNS Architecture

Our DNS servers are spread out over 16 IPs, in 4 data centers. Each server is isolated both at the network level and physically, and is equipped with bandwidth capacity, network gear, etc.

Client domains using our DNS

With every domain name registered through Thexyz, a free managed DNS hosting service is offered. Each domain is split across 4 name servers, and the graphic below illustrates this.

 is registered with us and gets 4 Name servers: ,, and

Each name server has 4 dedicated IP addresses. In total, we serve our DNS traffic through 4 data centers, each with 2 physical servers, which gives us a capacity of 16 GBps network throughput.

On each of these DNS servers we run an optimized version of PowerDNS with a capacity of 50000 qps. The total theoretical capacity of our DNS cluster is around 400,000 qps.

DDoS Mitigation Capacity

As mentioned before, our DNS servers are hosted at SteadFast, and SteadFast's network has been battle tested many times before during similar DDoS attacks. Each of the data centers is equipped with multiple 10 Gbps or 40 Gbps transit links to the network. The data center also uses Arbor Peakflow for DDoS detection and Arbor TMS for DDoS mitigation. Each of the Arbor TMS systems is capable of mitigating 10+ Gbps of attack traffic.

What went wrong?

Usually, when we see a DNS server IP address getting attacked (and they usually get null routed), the attack hits just a few of the 16 IPs. This activity is pretty common, and we see two or three such incidents every week. We have always maintained our service levels during all such incidents.

At its peak during the recent attack, we received 40+ Gbps of traffic spread out across all 16 of our DNS server IP addresses. The attack traffic was moving from one IP address to another in rapid succession. To prevent instability in the data center, the data center null routed our IP addresses. A null route is a rule to drop all traffic destined to our IP address at the data center's upstream internet service provider.

The problem with our setup

Issue 1: Relying solely on the data center for DDoS mitigation capabilities.
Issue 2: We are bound to /32 static IP addresses. We are not utilizing our own /24 subnets to host the DNS servers. By using our own /24 subnets, we could have swung the traffic to our third-party DDoS mitigation partner, Neustar.
Issue 3: All customer name servers point to the same IP addresses. So when an attack happens, it causes disruption for all customers using our DNS servers.

To solve these problems, we have planned a new DNS architecture and deployed this for use on our DNS services.

The new DNS architecture

Our new managed DNS infrastructure architecture is explained below:
We have moved the current DNS server IP addresses to our own IP subnets. This ensures we have the ability to use Neustar for DDoS mitigation when needed. All our data centers are already protected by Neustar. We will also start bucketing customers across different IP addresses so that an attack on a domain in one set will not disrupt DNS service to customers in other sets.
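
The bucketing idea above, as an added illustration that is not Thexyz's actual assignment scheme: domains are hashed into name-server sets, and the number of domains that go dark when one domain's name-server IPs are null routed is compared with the old shared pool. The set names, the documentation-range IPs and the customer names are all constructed.

```python
import hashlib

# Constructed layout: three name-server sets on documentation-range IPs
# (RFC 5737). Set names, sizes and addresses are assumptions.
BUCKETS = {
    "set-a": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"},
    "set-b": {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"},
    "set-c": {"203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"},
}
SHARED = set().union(*BUCKETS.values())  # old design: one pool for every domain


def bucket_for(domain):
    """Stable bucket choice: hash the normalized domain name."""
    name = domain.strip().rstrip(".").lower().encode("utf-8")
    index = int.from_bytes(hashlib.sha256(name).digest()[:8], "big")
    return sorted(BUCKETS)[index % len(BUCKETS)]


def nameserver_ips(domain, bucketed):
    """IPs that answer for a domain under the bucketed or the shared design."""
    return BUCKETS[bucket_for(domain)] if bucketed else SHARED


def disrupted(attacked_domain, domains, bucketed):
    """Domains left with no reachable name server once every IP serving
    attacked_domain has been null routed."""
    dropped = nameserver_ips(attacked_domain, bucketed)
    return sorted(d for d in domains if nameserver_ips(d, bucketed) <= dropped)


if __name__ == "__main__":
    customers = [f"customer{i}.example" for i in range(30)]  # constructed names
    target = customers[0]
    print("shared pool  :", len(disrupted(target, customers, False)), "of 30 down")
    print("bucketed sets:", len(disrupted(target, customers, True)), "of 30 down")
```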

We will start introducing local DNS services in other geographical regions where we have a data center presence and use Anycast. With Anycast, an attack originating from a particular region will only affect that region, while other regions remain unaffected. The affected region will use Neustar DDoS mitigation to mitigate the attack.

We sincerely regret and apologize for the inconvenience caused. We understand that you rely on us and to that effect, we’ll continue to render our services to the best of our ability to serve your business with utmost reliability.

Friday, 6 November 2015

We have released a new feature in Webmail to enhance privacy for Webmail users. When a user receives an email with links to externally hosted images, those images will not be displayed immediately. Instead, a bar will show up at the top of the email to indicate that images are being blocked. The user can click "Show Images" or "Always show images for this sender" to display the images. 

This is important because users may not realize that even if they delete an email without responding, they may still be sending information to third parties. Some messages contain links to images hosted on a separate server from their email. To display one of these images, their email client makes a request to the image server. This request includes their IP address, browser version, and any cookies the image server has set. Taken together, the server can use this information to track their online behavior. This is common practice, but we think users should have a choice about who can collect their information. That's why we've implemented protection against external image tracking in Webmail.
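
A sketch of how a mail client can withhold remote images while leaving inline ones alone, so no request (and no IP address, browser version or cookie) reaches the image server until the user opts in. This is an added example, not Webmail's implementation; the `data-blocked-` attribute prefix, the function names and the sample message are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one inline (cid:) image and one remote 1x1 image.
SAMPLE = ('<p>Hi &amp; welcome</p><img src="cid:logo@local">'
          '<img src="https://tracker.example/o.gif?u=42" width="1" height="1"/>')


def is_remote(url):
    """True if fetching the URL contacts a server (cid: and data: do not)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return True  # unparseable: withhold rather than risk a fetch
    return parts.scheme in ("http", "https") or (not parts.scheme and bool(parts.netloc))


class ImageBlocker(HTMLParser):
    """Re-emit a message body with remote <img> sources withheld."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if tag == "img" and name in ("src", "srcset") and value and any(
                    is_remote(tok) for tok in value.replace(",", " ").split()):
                self.blocked.append(value)
                name = "data-blocked-" + name  # kept so "Show Images" can restore it
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")
    handle_startendtag = handle_starttag  # <img ... /> is re-emitted as <img ...>
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote_images(html_body, sender, always_show=()):
    """Return (html, blocked_urls); senders in always_show are left untouched."""
    if sender.lower() in {s.lower() for s in always_show}:
        return html_body, []
    blocker = ImageBlocker()
    blocker.feed(html_body)
    blocker.close()
    return "".join(blocker.out), blocker.blocked
```

This covers `<img>` only; CSS `url()` references and other attributes that trigger a fetch need the same treatment in a real client.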

Can I turn this feature on or off?

Yes. By default the feature is turned on but you can turn it off by following these directions:
  1. In the Settings dialog box, click General Settings.
  2. On the Email Options tab, clear the Block external images check box.
  3. Click Save.

Monday, 2 November 2015

We have received a number of complaints from customers about a phishing email, which pretends to be sent by our registrar – Thexyz, by eNom, by LiquidNet Ltd or by Public Domain Registry.

Global phishing attacks are common nowadays. However, this particular one goes one step further, stirring confusion by including a specific domain name that is owned by the given recipient, rather than some random content.

The accurate domain owner information, coupled with the sense of urgency created by the phishers themselves, has caught many users off guard and has prompted them to click on links, which lead to virus-infected websites.

Fortunately, many of the hosts of the phishing sites have been notified and the harmful pages have been suspended. However, this does not exclude the possibility that other infected pages may still be circulating. Here is an example of the email that has been circulating.

What should you do when you receive an email like this?


A quick way to verify if the email sender in the header is authentic is to always hover over the link itself to see where it’s going.

Here is an example of what a phishing email’s Return-Path header would look like:

Received: from

Mobile phone users can press and hold the link to see the full URL.

If you are still in doubt, forward any emails you are unsure of to and we will reply back shortly.
